Security flaw in BMW's ConnectedDrive detected

January 30, 2015
By Christoph Hammerschmidt

The German automobile association ADAC has revealed a serious security vulnerability in BMW's connected car technology. Some 2.2 million vehicles of the BMW, Mini and Rolls Royce brands worldwide are affected. BMW reacted quickly - the flaw has already been fixed, the company said in a press release.

ADAC testers found a security gap that allows unauthorised persons to unlock the vehicle through a mobile connection. In the ConnectedDrive scheme, BMW's connected car implementation, the vehicles are equipped with their own wireless cellular connection, independent of the driver's cellphone, so they can be reached via mobile phone networks. Authorised users (such as the driver) can use the technology to read out status messages (for instance the fuel gauge or the parking position). The ADAC test demonstrated a security gap in the transmission path via mobile networks, enabling attackers to unlock the vehicle and access its interior. The operation takes only minutes and leaves no traces, the testers said.

In an apparently coordinated approach, BMW reacted immediately (in fact, the BMW release reached eeNews Europe before the ADAC message) and assured drivers that access to functions related to driving was never possible. The carmaker has already started to fix the problem by automatically updating the related software over the vehicle's mobile connection. The wireless connection uses the HTTPS protocol - a scheme that provides data encryption as well as authentication. Interestingly, BMW had already started the updates on December 8, 2014 - a hint that the security gap had been known for a while.